PowerSchool Breach Highlights Growing Cybersecurity Risks in America’s Schools

MCPS uses PowerSchool. PowerSchool confirmed earlier this month that it was hacked. PowerSchool is MCPS' student information system. The complete article is here, at the Foundation for Defense of Democracies website. Reported by Senior Policy Analyst Jiwon Ma and intern Mario Riofrio.

PowerSchool, a cloud-based software provider for K-12 schools, confirmed on January 7 that hackers breached its systems late last year, affecting thousands of school districts across the United States and globally. PowerSchool admitted on January 15 that the unnamed hackers accessed all of its 60 million student and teacher records, underscoring the urgent need to integrate cybersecurity into school infrastructure protection strategies and adopt stronger measures to mitigate cyber threats.  

Hackers Stole Student Social Security Numbers 

PowerSchool helps schools manage information and communication needs, using the platform to manage grades, attendance, and other student records. Hackers breached the platform using compromised credentials available on the dark web, pilfering student names and addresses, and, in some cases, Social Security numbers and medical records. Press reports indicate PowerSchool paid a ransom to the attackers in exchange for assurances that they would delete the stolen data. 

Hackers Increasingly Target Schools for Sensitive Data 

The PowerSchool data breach illustrates a growing trend in cyberattacks, which have shifted from traditional ransomware attacks to ones paired with data theft extortion. Instead of encrypting systems and demanding payment for their release, hackers now engage in dual extortion, stealing the sensitive information — instead of or in addition to encrypting it — and threatening its exposure to pressure victims into paying a ransom.  

Meanwhile, American school districts are increasingly exploited by criminal hackers looking for easy targets. From January 2023 to June 2024, at least 83 cyberattacks targeted U.S. K-12 schools. While the number of reported ransomware cases dropped between 2023 and 2024, the true number of incidents is likely higher. Since October 2024, victims have reported at least another 85 additional incidents, reflecting an alarming trend.  

Initial Efforts to Improve Cybersecurity Need a Jumpstart 

Over the past two years, the Biden administration has attempted to focus efforts on the cybersecurity of schools, organizing a “Cybersecurity Summit for K-12 Schools” in August 2023 that featured initiatives by technology companies to provide free and low-cost cybersecurity tools and services. PowerSchool itself partnered with the Cybersecurity and Infrastructure Security Agency to offer free and subsidized cybersecurity training and resources to K-12 schools.  

Meanwhile, late last year, the Federal Communications Commission launched a pilot program to provide $200 million to schools and libraries to purchase cybersecurity products. Building on this momentum, the White House Office of the National Cyber Director announced in December 2024 that thanks to federal funding, all K-12 public schools in Rhode Island will implement a cybersecurity service designed to block harmful websites and protect student data.